Install the Keyfactor Command Components on the Keyfactor Command Server(s)

Before you begin the installation, make sure that you have reviewed the system requirements (see System Requirements), completed the prerequisites (see Planning & Preparing), and have your Keyfactor Command license file ready to upload during the configuration.

The following installation steps show all possible Keyfactor Command features enabled. Your Keyfactor Command license may not cover all Keyfactor Command features. If it does not, unlicensed features will not be shown in the configuration wizard. You may skip those configuration steps.

To begin the Keyfactor Command installation, execute the KeyfactorPlatform.msi file from the Keyfactor Command installation media and install as follows.

  1. On the first installation page, click Next to begin the setup wizard.

    Figure 501: Install: Begin Setup Wizard

  2. On the next page, read and accept the license agreement and click Next. Click Print to review a printed copy if desired.
  3. On the next page, select the components to install. For a server with the default roles collocated, leave the default options and click Next to continue. If desired, you can highlight Keyfactor Command and click Browse to select an alternate installation location for the files. The default installation location is:

    C:\Program Files\Keyfactor\Keyfactor Platform\

    Figure 502: Install: Select Components

    Tip:  Refer to Keyfactor Command Server(s) for a description of these components.

    Table 854: Available components for Keyfactor.

    Component Description
    Management Portal Mandatory. Web-based management console for configuring all aspects of Keyfactor. The Keyfactor API will be installed with this component.
    Windows Services Mandatory. Includes the timer Windows service to manage timed events, such as CA Sync, PKI monitoring and system maintenance.
    Web API Optional. The Keyfactor API component. This allows the Keyfactor API for external use to be installed on a separate server from the Management Portal, if desired.
    Orchestrator Services API Optional. Not required if neither agents nor orchestrators will be utilized by Keyfactor Command. Web based orchestrator services API.
  4. On the next screen, click Install.
  5. On the final installation wizard page, leave the Launch the Configuration Wizard now box selected and click Finish. The configuration wizard should start automatically. This can take several seconds.
  6. On the Keyfactor Command Database Configuration page, enter the name, IP address, or fully qualified domain name (FQDN) of your SQL server and select a Credential Type of either Windows or SQL.

    Important:  Keyfactor Command uses an encrypted channel to connect to the SQL server by default, which requires configuration of an SSLClosed TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. certificate on the SQL server (see Using SSL to Connect to SQL Server). The name or IP address you enter here for your SQL server must be available as a SANClosed The subject alternative name (SAN) is an extension to the X.509 specification that allows you to specify additional values when enrolling for a digital certificate. A variety of SAN formats are supported, with DNS name being the most common. in this certificate unless you have disabled the encrypted connection for Keyfactor Command (see Configurable SQL Connection Strings).
    • If you select Windows as the Credential Type for connecting to SQL, click the Connect button.

      Figure 503: Windows Authentication

    • If you select SQL as the Credential Type for connecting to SQL, the window will expand to include fields to enter a SQL username and password. Enter a username and password to authenticate to SQL, and click the Connect button.

      Note:  The password must not contain single or double quotes. An error will be shown if single or double quotes are used in the password.

      Figure 504: SQL Authentication

    Note:  For the permissions required for this user, see Grant Permissions in SQL.
    Note:  Keyfactor Command supports configuration of a base SQL connection templateClosed A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. that is used for all connections Keyfactor Command makes to SQL. For more information, see Configurable SQL Connection Strings.
    Note:  Your SQL server must be configured to support mixed mode authentication in order to use the SQL option.
  7. After the Connect button is clicked, the database name field will be activated. You can either enter the name of the desired database—for either a new or existing database—or click Browse to scroll through a list of existing databases.

    Note:  On subsequent runs of the configuration wizard, the database name field will be pre-populated with the database name used on the last completed run. Any change to the server connection fields (server name, authentication type, etc.) will require the Connect button to be used again to unlock the database name field and the Continue button.
  8. Click the Continue button. You will receive a confirmation dialog if any changes will be made to the database at this stage.

    Note:  If any of the following situations occurs, you will receive a message:
    • The selected database does not exist and will be created.
    • The selected database is empty and not associated with Keyfactor Command; it will be populated with the Keyfactor Command schema.
    • The selected database does not match the current product schema and will be upgraded.
    • The selected database is not empty and is not associated with Keyfactor Command.
    • The user does not have access to the database.
    • An SSL certificate is not correctly configured on the SQL server.
  9. On the Keyfactor Command Encryption Warning page, read and understand the warning. Make note of the referenced documents to provide to your SQL team. Take advantage of the option to make a backup of the Database Master Key (DMK) by entering a path to a directory on your SQL server along with a filename for the backup file and a password to encrypt the file and clicking Backup. The user running the Keyfactor Command installer must have write permissions to this directory. Click Continue.

    Important:  Keyfactor Command uses Microsoft SQL Server encryption to protect security sensitive data, including service account credentials. Backup of the SQL server Database Master Key (DMK) is of critical importance in database backup and recovery operations. The backup file of the DMK and the password should be stored in a safe, well-documented location. Without the file and password created with this process, some data that is encrypted within the Keyfactor Command database will be unrecoverable in a disaster recovery scenario. For more information, see SQL Encryption Key Backup.

    If you choose to install Keyfactor Command in the default location, the referenced documents can later be found here:

    C:\Program Files\Keyfactor\Keyfactor Platform\Configuration\DMKBackup.docx

    C:\Program Files\Keyfactor\Keyfactor Platform\Configuration\DMKRestore.docx

    Figure 505: Configure: Backup Database Master Key

  10. On the Keyfactor Command License upload page, click Upload and browse to locate the license file provided to you by Keyfactor. This file should have the extension CMSLICENSE. Once the uploaded license shows as valid, click Continue.

    Figure 506: Configure: Upload License

  11. In the Keyfactor Command configuration wizard, you can choose to upload a configuration file to populate the fields. You may have a file saved from a previous run of the configuration wizard or you may be provided one by Keyfactor. To upload a file, in the configuration wizard, click File at the top of the wizard and choose Open Data File. Browse to locate the configuration file. Configuration files have an extension of .cmscfg. The file may be protected with a password. If it is, you will need to provide this password to open the file. Continue with the remainder of the steps, reviewing the tabs to assure that the data is complete and correct.

    Note:  If you open a configuration file that contains configuration information for an identity provider other than Active Directory but does not set OAuth enabled to true, the additional identity provider information will not be loaded.

    Figure 507: Configure: Open Data File

    Note:  At the bottom of the configuration wizard, if the database server name is longer than will fit in the provided window, it will be truncated and an ellipsis will be added.
  12. Application Pools Tab
  13. A separate application pool is required for each virtual directory that will be created for Keyfactor Command in IIS. If you’ve chosen to install all the Keyfactor Command components, this will be five application pools for the virtual directories with the following names, by default:

    On the Application Pools tab of the configuration wizard, click Add, change the default application pool name, if desired, and enter the user name (DOMAIN\username format) and password of the Active Directory service account under which the application pool will run. You may use the people picker button () to browse for the account. Click the verify button () to confirm that the username and password entered are valid. Assuming the verification completes successfully, click Save.

    Tip:  The same service account may be used for all application pools.

    Figure 508: Configure: Application Pools

  14. Authentication Tab
  15. Important:  Before migrating an existing implementation from Active Directory to OAuth or vice versa, please see Migrating to a New Identity Provider.

    On the Authentication tab of the configuration wizard, check the Use OAuth box if you wish to use an identity provider other than Active Directory as either your primary identity provider or a federation gateway to another identity provider. If you do not select this, you will be using the default identity provider of Microsoft Active Directory. If you checked OAuth, configure it as follows.

    Important:  Only one identity provider may be configured at a time on each Keyfactor Command instance.

    On the Authentication tab in the top section, accept the defaults for the Session Expiration and Cookie Expiration or modify these if appropriate for your environment. The Session Expiration value determines the length of time a browser session in the Keyfactor Command Management Portal will remain logged in before the user is prompted to re-authenticate regardless of whether the session is idle or in active use. The Cookie Expiration value determines the length of time the authentication cookie for the Keyfactor Command Management Portal browser session is considered valid. After half of the setting's duration, Keyfactor Command will attempt to use a refresh token to update the cookie. If this fails, the user's session will be terminated. The cookie renewal is seamless from the user’s perspective (there is no prompt for credentials).

    Note:  For Keyfactor Identity Provider, these values should match those configured for the SSO Session Max and Access Token Lifespan in Keyfactor Identity Provider (see Configuring Keyfactor Identity Provider and Collecting Data for the Keyfactor Command Installation). If you’ve opted not to issue refresh tokens in Keyfactor Identity Provider, the Cookie Expiration value should match the Session Expiration value.
  16. Database Tab
  17. On the Database tab in the top section, select an Authentication Mode for ongoing communications to SQL server—Windows Authentication or SQL Server Authentications. Your SQL server must be configured to support mixed mode authentication in order to use the SQL server authentication option.

    • If you select Windows Authentication, login(s) will be created in SQL for the application pool user(s) you created on the Application Pools tab and granted appropriate permissions (other than the application pool for the Logi Analytics Platform, which does not need database access).

    • If you choose SQL server authentication, enter a User and Password of a SQL administrator for the Keyfactor Command SQL database. If the user does not exist in SQL, it will be created and granted the necessary permissions for management of the Keyfactor Command database. If the user already exists in SQL, it will be granted the necessary permissions. If the database you originally connected to is an Azure database, SQL Server Authentication is the only option provided.

    For more information, see Grant Permissions in SQL.

    If desired, check the Configure Encryption box. This option allows you to encrypt select sensitive data stored in the Keyfactor Command database using a separate encryption methodology utilizing a Keyfactor Command-defined certificate on top of the SQL server encryption noted above. This additional layer of encryption protects the data in cases where the SQL Server master keys cannot be adequately protected. Read and understand the encryption warning. This warning applies to implementations with more than one Keyfactor Command server.

    Note:  In an environment where there are multiple copies of Keyfactor Command pointing to the same database, each server running a Keyfactor Command instance will need to have the same encryption certificate AND the corresponding private keyClosed Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure..

    Select Application and SQL for the Encryption Type and click the Select button to choose a certificate from the Personal Certificate store of the Local Computer with which to encrypt the data. Only valid certificates with the appropriate key usage will appear in the selection dialog. See Acquire a Public Key Certificate for the Keyfactor Command Server.

    If you enable application-level encryption, your certificate must either be using a key storage provider (KSP) or you must manually grant permissions to the certificate’s private key (see Application-Level Encryption).

    Tip:  If you need to reset the encryption level to remove application-level encryption, run the configuration wizard again and select the SQL Only option. You must ensure that the server you are re-running the configuration wizard on has both the certificate used for application-level encryption and its associated private key. When Keyfactor Command notices that application-level encryption has been disabled, it will process all the secrets in the database and remove the additional encryption. The data will then be re-saved to the secrets table using only SQL-level encryption.

    Figure 511: Configure: Encryption Warning

    Figure 512: Configure: Database

  18. Service Tab
  19. On the Service tab, enter the user name and password of the Active Directory (DOMAIN\username format) or local (HOSTNAMEClosed The unique identifier that serves as name of a computer. It is sometimes presented as a fully qualified domain name (e.g. servername.keyexample.com) and sometimes just as a short name (e.g. servername).\username format) service account under which the Keyfactor Command Service will run. This can be the same service account used for the application pool(s) or a different service account. You may use the people picker button () to browse for the account. Click the verify button () to confirm that the username and password entered are valid. If desired, check the Start service on bootup box to start the Keyfactor Command Service at system start.

    Tip:  Checking Start service on bootup sets all jobs of type TimerService to true in the Keyfactor Command service appsettings.json file. These settings can be modified on a job-by-job basis in this appsettings.json file (see Keyfactor Command Service Job Settings for more information).

    Figure 513: Configure: Service

  20. Email Tab
  21. On the Email tab, enter the FQDN of your SMTPClosed Short for simple mail transfer protocol, SMTP is a protocol for sending email messages between servers. server, the SMTP port (default is 25), and the sender name and account. Depending on the email configuration in your environment, the sender account may need to be a valid user on your mail server (using Active Directory credentials) or you may be able to put anything in this field (if your mail server supports anonymous connections). You may use the people picker button () to browse for the sender account if you are using a valid account. Select the Use SSL box if this option is supported by your mail server and select the appropriate authentication method for your environment. If your mail server requires that you provide a username and password for a valid user, enter that Active Directory username and password in the fields at the bottom of the page after selecting the Explicit credentials radio button. You may use the people picker button () to browse for the account. Click the verify button () to confirm that the username and password entered are valid. The user you select here must match the email address you set in the Sender Account field if you select Explicit credentials. The information entered on this tab may later be changed in the Keyfactor Command Management Portal.

    Figure 514: Configure: Email

  22. Keyfactor Portal Tab
  23. On the Keyfactor Portal tab in the top section, enter the FQDN that you will use to access the Keyfactor Command Management Portal in the Host Name field. This can be either the actual host name of the server on which you are installing the Keyfactor Command Administration component or a DNS alias pointing to the server. If you have multiple Keyfactor Command Management Portal servers with load balancing, this will be a DNS name pointing to your load balancer. Select the Default Web Site in the Web Site dropdown, or other web site as desired. Accept the default for the Virtual Directory and select the application pool for this virtual directory that you created earlier in the Application Pool dropdown. Check or uncheck the Use SSL box as appropriate for your environment.

    Figure 515: Configure: Keyfactor Portal

  24. Administrative Users Tab
  25. On the Administrative Users tab, click Add to add users or groups that you will use to control administrative access to the Keyfactor Command Management Portal.

    Enter only the users and/or group(s) to which you want to grant full administrative rights to the Keyfactor Command Management Portal. Following initial configuration, you can create other permission levels and grant those permission levels to other users or groups through the Keyfactor Command Management Portal. See Security Roles and Claims for more information.

  26. Dashboard and Reports Tab
  27. On the Dashboard and Reports tab, enter the FQDN of the server hosting the Keyfactor Command Management Portal—where the Logi Analytics Platform is installed—in the Host Name field. This can be either the actual host name of the server on which you are installing the Keyfactor Command Management Portal component or a DNS alias pointing to the server. Check or uncheck the Use SSL box as appropriate for your environment. Select the Default Web Site in the Web Site dropdown, or other web site as desired. Accept the default for the Virtual Directory and select the application pool for this virtual directory that you created earlier in the Application Pool dropdown.

    Note:  If you are installing the Management Portal in a load balanced configuration, see Appendix - Logi Load Balancing: Keyfactor Command Configuration Wizard Setup.

    Figure 518: Configure: Dashboard and Reports

  28. Orchestrators Tab
  29. On the Orchestrators tab, enter the FQDN of the server hosting the Keyfactor Command orchestrators web site in the Host Name field. This can be either the actual host name of the server on which you are installing the Keyfactor Command Services (Orchestrator Services API) components or a DNS alias pointing to the server. Select the Default Web Site in the Web Site dropdown, or other web site as desired. Accept the default for the Virtual Directory and select the application pool for this virtual directory that you created earlier in the Application Pool dropdown. Check or uncheck the Use SSL box as appropriate for your environment.

    Figure 519: Configure: Orchestrators with Standard Authentication

  30. API Tab
  31. On the API tab, enter the FQDN of the server hosting the Keyfactor Command KeyfactorAPI service in the Host Name field. This can be either the actual host name of the server on which you are installing the Keyfactor Command Services (Keyfactor API) components or a DNS alias pointing to the server. Select the Default Web Site in the Web Site dropdown, or other web site as desired. Accept the default for the Virtual Directory and select the application pool for this virtual directory that you created earlier in the Application Pool dropdown. Check or uncheck the Use SSL box as appropriate for your environment.

    Tip:  Keyfactor Command includes embedded documentation which includes links to the Keyfactor API Reference and Utility from within the documents. If the API is installed in a non-standard virtual directory, these links will not work from the documentation. Keyfactor, recommends accepting the default virtual directory during installation of Keyfactor Command to avoid issues with this.

    Figure 521: Configure: API

  32. Audit Configuration Tab
  33. On the Auditing Configuration tab, enter the number of years to retain audit data in the Audit Entry Retention Period (years) field. By default, seven years of data is retained. The audit log cleanup job runs once daily and removes any audit log entries older than the time specified in the retention parameterClosed A parameter or argument is a value that is passed into a function in an application. except those in the following protected categories:

    • Security

    • CertificateCollections

    • ApplicationSettings

    • SecurityIdentities

    • SecurityRoles

    The auditing settings can be updated on the auditing tab of the applications settings page following installation (see Application Settings: Auditing Tab).

    Figure 522: Configure: Audit

  34. At this point in the configuration, if you have populated all the required fields, the yellow warning banner at the top of the configuration wizard should have disappeared. If it is still visible, click the dropdown arrow to open the Warnings page and review the warning(s) to see what needs to be corrected. Under some circumstances you will be allowed to continue with the configuration even if the yellow warning banner is still present. You will know this is the case if the Verify Configuration button is active. Under these circumstances, you should review the warnings before continuing.

    Figure 523: Configure: Configuration Warnings

  35. Before completing the configuration wizard, you may choose to save a copy of the configuration as a file for future use. To download the configuration as a file, in the configuration wizard, click File at the top of the wizard and choose Save Data File. Browse to a location where you want to save the configuration file, enter a file name and click Save. You will be prompted to enter a password to encrypt the data in the file. You may choose to protect the file with a password or not. If you use a password at this time, you will need to provide this password to open the file. Keyfactor highly recommends using a strong password to protect the file. If you do not wish to use a password to protect the file, sensitive information (e.g. passwords for the service accounts entered in the configuration wizard) will be removed from the file. Once you enter a password or uncheck the encryption box, click OK to save the file.

    Important:  Keyfactor highly recommends that you use strong passwords for any accounts or certificates related to Keyfactor Command and associated products, especially when these have elevated or administrative access. A strong password has at least 12 characters (more is better) and multiple character classes (lowercase letters, uppercase letters, numeral, and symbols). Ideally, each password would be randomly generated. Avoid password re-use.

    Figure 524: Configure: Save Configuration as a File

  36. At the bottom of the Keyfactor Command Configuration Wizard dialog, click Verify Configuration.
  37. On the Configuration Operations page, review the planned operations and then click Apply Configuration. Prior to clicking Apply Configuration, you can revisit any of the Configuration Wizard tabs to review or make changes by clicking Edit Configuration.

    Figure 525: Configure: Configuration Operations

  38. When the configuration completes successfully, you will see the below message. If you didn’t save a copy of the configuration earlier, you may do so at this time by clicking Save Settings. Otherwise, click Close to close the dialog.

    Figure 526: Configure: Configuration Complete